Start migration to using flake-parts

features-nixos/base/auto-upgrade.nix

@@ -0,0 +1,18 @@
+{
+  flake.nixosModules.base = {
+    inputs,
+    config,
+    ...
+  }: {
+    system.hydraAutoUpgrade = {
+      # Only enable if not dirty
+      enable = inputs.self ? rev;
+      dates = "*:0/10"; # Every 10 minutes
+      instance = "http://hydra.julian-mutter.de";
+      project = "dotfiles";
+      jobset = "main";
+      job = "hosts.${config.networking.hostName}";
+      oldFlakeRef = "self";
+    };
+  };
+}

features-nixos/base/default.nix

@@ -0,0 +1,40 @@
+# Common config for all hosts
+{
+  flake.nixosModules.base = {
+    inputs,
+    outputs,
+    pkgs,
+    lib,
+    ...
+  }: {
+    imports = [
+      inputs.home-manager.nixosModules.home-manager
+    ];
+
+    # Replaces the (modulesPath + "/installer/scan/not-detected.nix") from default hardware-configuration.nix
+    # Enables non-free firmware
+    hardware.enableRedistributableFirmware = true;
+
+    # Networking
+    networking.networkmanager = {
+      enable = true;
+      plugins = with pkgs; [
+        networkmanager-openconnect
+      ];
+    };
+    services.resolved.enable = false;
+    # MDNS Taken by avahi
+    # networking.networkmanager.dns = "none";
+    networking.nameservers = lib.mkDefault [
+      "1.1.1.1"
+      "8.8.8.8"
+    ];
+
+    # HM module
+    home-manager.useGlobalPkgs = true; # hm module uses the pkgs of the nixos config
+    home-manager.backupFileExtension = "hm-backup"; # backup conflicting files. So hm activation never fails
+    home-manager.extraSpecialArgs = {
+      inherit inputs outputs;
+    };
+  };
+}

features-nixos/base/fish.nix

@@ -0,0 +1,12 @@
+{
+  flake.nixosModules.base = {
+    programs.fish = {
+      enable = true;
+      vendor = {
+        completions.enable = true;
+        config.enable = true;
+        functions.enable = true;
+      };
+    };
+  };
+}

features-nixos/base/locale.nix

@@ -0,0 +1,28 @@
+{
+  flake.nixosModules.base = {
+    # Select internationalisation properties.
+    i18n.defaultLocale = "en_US.UTF-8";
+
+    i18n.extraLocaleSettings = {
+      LC_ADDRESS = "de_DE.UTF-8";
+      LC_IDENTIFICATION = "de_DE.UTF-8";
+      LC_MEASUREMENT = "de_DE.UTF-8";
+      LC_MONETARY = "de_DE.UTF-8";
+      LC_NAME = "de_DE.UTF-8";
+      LC_NUMERIC = "en_US.UTF-8";
+      LC_PAPER = "de_DE.UTF-8";
+      LC_TELEPHONE = "de_DE.UTF-8";
+      LC_TIME = "de_DE.UTF-8";
+    };
+
+    # Keymap
+    services.xserver.xkb = {
+      layout = "de";
+      variant = "";
+    };
+
+    console.keyMap = "de";
+
+    time.timeZone = "Europe/Berlin";
+  };
+}

features-nixos/base/nix.nix

@@ -0,0 +1,48 @@
+{
+  flake.nixosModules.base = {outputs, ...}: {
+    # Apply overlays
+    nixpkgs = {
+      # TODO: apply this to hm and nixos without duplicate code
+      overlays = builtins.attrValues outputs.overlays;
+      config = {
+        nvidia.acceptLicense = true;
+        allowUnfree = true;
+        allowUnfreePredicate = _: true; # TODO: what is this
+        warn-dirty = false;
+        permittedInsecurePackages = [
+          "olm-3.2.16"
+        ];
+      };
+    };
+
+    # optimize at every build, slows down builds
+    # better to do optimise.automatic for regular optimising
+    # nix.settings.auto-optimise-store = lib.mkDefault true;
+    nix.settings.experimental-features = [
+      "nix-command"
+      "flakes"
+      "ca-derivations"
+    ];
+    # warn-dirty = false;
+
+    nix.gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+      persistent = true;
+    };
+    nix.optimise = {
+      automatic = true;
+      dates = ["weekly"]; # Optional; allows customizing optimisation schedule
+      persistent = true;
+    };
+
+    programs.nix-ld.enable = true;
+
+    # TODO: is this useful?, what does it do?
+    # nix.settings.flake-registry = ""; # Disable global flake registry
+    # Add each flake input as a registry and nix_path
+    # registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
+    # nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+  };
+}

features-nixos/base/root.nix

@@ -0,0 +1,11 @@
+{
+  flake.nixosModules.base = {pkgs, ...}: {
+    # Packages needed as root
+    environment.systemPackages = with pkgs; [
+      vim
+      htop
+      mc
+      gparted-xhost # needs to be installed as system package so it can be actually opened
+    ];
+  };
+}

features-nixos/base/sops/sops.nix

@@ -0,0 +1,24 @@
+{
+  flake.nixosModules.base = {
+    inputs,
+    config,
+    ...
+  }: let
+    isEd25519 = k: k.type == "ed25519";
+    getKeyPath = k: k.path;
+    keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+  in {
+    imports = [inputs.sops-nix.nixosModules.sops];
+
+    sops.age = {
+      sshKeyPaths = map getKeyPath keys;
+
+      # TODO: remove? only rely on ssh or pgp keys (e.g. ubikey like misterio is using!!!)
+      # keyFile = "/home/julian/.config/sops/age/keys.txt";
+      # Generate key if none of the above worked. With this, building will still work, just without secrets
+      generateKey = false; # TODO: building should not work without secrets!?
+    };
+
+    sops.defaultSopsFile = ./secrets.yaml;
+  };
+}

features-nixos/optional/authentication.nix

@@ -0,0 +1,31 @@
+{
+  flake.nixosModules.authentication = {
+    pkgs,
+    lib,
+    ...
+  }: {
+    # Make programs like nextcloud client access saved passwords
+    services.gnome.gnome-keyring.enable = true;
+
+    programs.seahorse.enable = true;
+    programs.ssh.askPassword = lib.mkForce "${pkgs.seahorse}/libexec/seahorse/ssh-askpass"; # Solve conflicting definition in seahorse and plasma6
+
+    # Make authentication work for e.g. gparted
+    security.polkit.enable = true;
+    systemd = {
+      user.services.polkit-gnome-authentication-agent-1 = {
+        description = "polkit-gnome-authentication-agent-1";
+        wantedBy = ["graphical-session.target"];
+        wants = ["graphical-session.target"];
+        after = ["graphical-session.target"];
+        serviceConfig = {
+          Type = "simple";
+          ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
+          Restart = "on-failure";
+          RestartSec = 1;
+          TimeoutStopSec = 10;
+        };
+      };
+    };
+  };
+}

features-nixos/optional/avahi.nix

@@ -0,0 +1,14 @@
+{
+  flake.nixosModules.avahi = {
+    # MDNS on local network
+    services.avahi = {
+      enable = true;
+      nssmdns4 = true;
+      nssmdns6 = true;
+      publish.enable = true;
+      publish.addresses = true;
+      ipv4 = true;
+      ipv6 = true;
+    };
+  };
+}

features-nixos/optional/binarycaches.nix

@@ -0,0 +1,33 @@
+{
+  flake.nixosModules.binarycaches = {
+    lib,
+    outputs,
+    ...
+  }: {
+    # Setup binary caches
+    nix.settings = {
+      substituters = [
+        "https://nix-community.cachix.org"
+        "https://cache.nixos.org/"
+        "https://hyprland.cachix.org"
+        "http://binarycache.julian-mutter.de"
+        "https://devenv.cachix.org"
+      ];
+      trusted-public-keys = [
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+        "binarycache.julian-mutter.de:oJ67uRFwRhNPKL58CHzy3QQLv38Kx7OA1K+6xlEPu7E="
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
+      ];
+
+      trusted-users = [
+        "root"
+        "@wheel"
+      ]; # needed for devenv to add custom caches
+
+      # Ensure we can still build when missing-server is not accessible
+      fallback = true;
+    };
+  };
+}

features-nixos/optional/boot-efi.nix

@@ -0,0 +1,19 @@
+{
+  flake.nixosModules.boot-efi = {
+    # Bootloader
+    # Use this for simple nix boot menu, if no dual boot required
+    boot.loader.systemd-boot.enable = true;
+    boot.loader.systemd-boot.configurationLimit = 10;
+    boot.loader.efi.canTouchEfiVariables = true;
+
+    # https://github.com/NixOS/nixpkgs/blob/c32c39d6f3b1fe6514598fa40ad2cf9ce22c3fb7/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix#L66
+    boot.loader.systemd-boot.editor = false;
+
+    boot.supportedFilesystems = [
+      "btrfs"
+      "ntfs"
+      "nfs"
+      "cifs"
+    ];
+  };
+}

features-nixos/optional/docker.nix

@@ -0,0 +1,7 @@
+{
+  flake.nixosModules.docker = {
+    virtualisation.docker = {
+      enable = true;
+    };
+  };
+}

features-nixos/optional/flatpak.nix

@@ -0,0 +1,8 @@
+{
+  flake.nixosModules.flatpak = {pkgs, ...}: {
+    services.flatpak.enable = true;
+    xdg.portal.enable = true;
+    xdg.portal.extraPortals = [pkgs.xdg-desktop-portal-gtk];
+    xdg.portal.config.common.default = "*"; # Use first portal implementation found
+  };
+}

features-nixos/optional/gamemode.nix

@@ -0,0 +1,23 @@
+{
+  flake.nixosModules.gamemode = {pkgs, ...}: {
+    programs.gamemode = {
+      enable = true;
+      settings = {
+        general = {
+          softrealtime = "auto";
+          inhibit_screensaver = 1;
+          renice = 5;
+        };
+        # gpu = {
+        #   apply_gpu_optimisations = "accept-responsibility";
+        #   gpu_device = 1;
+        #   amd_performance_level = "high";
+        # };
+        custom = {
+          start = "${pkgs.libnotify}/bin/notify-send 'GameMode started'";
+          end = "${pkgs.libnotify}/bin/notify-send 'GameMode ended'";
+        };
+      };
+    };
+  };
+}

features-nixos/optional/gdm.nix

@@ -0,0 +1,15 @@
+{
+  flake.nixosModules.gdm = {
+    config,
+    lib,
+    pkgs,
+    ...
+  }: {
+    services.xserver.displayManager.gdm = {
+      enable = true;
+    };
+
+    # unlock GPG keyring on login
+    security.pam.services.gdm.enableGnomeKeyring = true;
+  };
+}

features-nixos/optional/greetd.nix

@@ -0,0 +1,39 @@
+{
+  flake.nixosModules.greetd = {config, ...}: let
+    homeCfgs = config.home-manager.users;
+    julianCfg = homeCfgs.julian;
+  in {
+    users.extraUsers.greeter = {
+      # For caching
+      home = "/tmp/greeter-home";
+      createHome = true;
+    };
+
+    programs.regreet = {
+      enable = true;
+      iconTheme = julianCfg.gtk.iconTheme;
+      theme = julianCfg.gtk.theme;
+      # font = julianCfg.fontProfiles.regular; # TODO: do
+      cursorTheme = {
+        inherit (julianCfg.gtk.cursorTheme) name package;
+      };
+      cageArgs = [
+        "-s"
+        "-m"
+        "last"
+      ]; # multimonitor use last monitor
+      # settings.background = {
+      #   path = julianCfg.wallpaper;
+      #   fit = "Cover";
+      # }; # TODO: fix
+
+      # TODO: setting keyboard language does not work
+      # settings = {
+      #   env = {
+      #     XKB_DEFAULT_LAYOUT = "de";
+      #     # XKB_DEFAULT_VARIANT = "altgr-intl";
+      #   };
+      # };
+    };
+  };
+}

features-nixos/optional/i3.nix

@@ -0,0 +1,18 @@
+{
+  flake.nixosModules.i3 = {
+    config,
+    lib,
+    pkgs,
+    ...
+  }: {
+    services.xserver.windowManager.i3.enable = true;
+    services.xserver.windowManager.i3.package = pkgs.i3-gaps;
+    services.displayManager.defaultSession = "none+i3";
+
+    programs.xss-lock = {
+      # responds to "loginctl lock-session" via dbus
+      enable = true;
+      lockerCommand = "${pkgs.i3lock}/bin/i3lock --ignore-empty-password --color=000000";
+    };
+  };
+}

features-nixos/optional/kerberos.nix

@@ -0,0 +1,25 @@
+{
+  flake.nixosModules.kerberos = {
+    security.krb5.enable = true;
+    security.krb5.settings = {
+      # domain_realm = {
+      #   ".julian-mutter.de" = "julian-mutter.de";
+      #   "julian-mutter.de" = "julian-mutter.de";
+      # };
+      libdefaults = {
+        default_realm = "julian-mutter.de";
+        #   dns_lookup_realm = true;
+        #   dns_lookup_kdc = true;
+        #   ticket_lifetime = "24h";
+        #   renew_lifetime = "7d";
+      };
+      realms = {
+        "julian-mutter.de" = {
+          kdc = ["kerberos.julian-mutter.de"];
+          admin_server = "kerberos-admin.julian-mutter.de";
+          default_domain = "julian-mutter.de";
+        };
+      };
+    };
+  };
+}

features-nixos/optional/openssh.nix

@@ -0,0 +1,51 @@
+{
+  flake.nixosModules.openssh = {
+    outputs,
+    lib,
+    config,
+    ...
+  }: let
+    hosts = lib.attrNames outputs.nixosConfigurations;
+  in {
+    services.openssh = {
+      enable = true;
+      settings = {
+        # Harden
+        PasswordAuthentication = false;
+        PermitRootLogin = "no";
+
+        # TODO: what does this do
+        # Let WAYLAND_DISPLAY be forwarded
+        AcceptEnv = "WAYLAND_DISPLAY";
+        X11Forwarding = true;
+      };
+
+      hostKeys = [
+        {
+          path = "/etc/ssh/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+      ];
+    };
+
+    # TODO: is automatic known hosts file even necessary?
+    # programs.ssh = {
+    #   # Each hosts public key
+    #   knownHosts = lib.genAttrs hosts (hostname: {
+    #     publicKeyFile = ../../${hostname}/ssh_host_ed25519_key.pub;
+    #     extraHostNames =
+    #       [
+    #         # "${hostname}.m7.rs"
+    #       ]
+    #       ++
+    #         # Alias for localhost if it's the same host
+    #         (lib.optional (hostname == config.networking.hostName) "localhost")
+    #       # Alias to m7.rs and git.m7.rs if it's alcyone
+    #       ++ (lib.optionals (hostname == "alcyone") [
+    #         "m7.rs"
+    #         "git.m7.rs"
+    #       ]);
+    #   });
+    # };
+  };
+}

features-nixos/optional/pcmanfm.nix

@@ -0,0 +1,11 @@
+{
+  flake.nixosModules.pcmanfm = {pkgs, ...}: {
+    environment.systemPackages = with pkgs; [
+      shared-mime-info # extended mimetype support
+      lxmenu-data # open with "Installed Applications"
+      pcmanfm
+    ];
+
+    services.gvfs.enable = true; # Mount, trash, and other functionalities
+  };
+}

features-nixos/optional/pipewire.nix

@@ -0,0 +1,30 @@
+{
+  flake.nixosModules.pipewire = {
+    security.rtkit.enable = true;
+    services.pulseaudio.enable = false;
+    services.pipewire = {
+      enable = true;
+      wireplumber.enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      jack.enable = true;
+      extraConfig.pipewire = {
+        "99-no-bell" = {
+          # Disable bell sound
+          "context.properties" = {
+            "module.x11.bell" = false;
+          };
+        };
+        "10-increase-buffer" = {
+          "context.properties" = {
+            "default.clock.rate" = 48000;
+            "default.clock.quantum" = 1024;
+            "default.clock.min-quantum" = 1024;
+            "default.clock.max-quantum" = 2048;
+          };
+        };
+      };
+    };
+  };
+}

features-nixos/optional/podman.nix

@@ -0,0 +1,12 @@
+{
+  flake.nixosModules.podman = {config, ...}: let
+    dockerEnabled = config.virtualisation.docker.enable;
+  in {
+    virtualisation.podman = {
+      enable = true;
+      dockerCompat = !dockerEnabled;
+      dockerSocket.enable = !dockerEnabled;
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
+}

features-nixos/optional/redshift.nix

@@ -0,0 +1,14 @@
+{
+  flake.nixosModules.redshift = {
+    config,
+    lib,
+    pkgs,
+    ...
+  }: {
+    # Set location used by redshift
+    location.provider = "manual";
+    location.latitude = 47.92;
+    location.longitude = 10.12;
+    services.redshift.enable = true;
+  };
+}

features-nixos/optional/remote-builder.nix

@@ -0,0 +1,36 @@
+{
+  flake.nixosModules.remote-builder = {
+    nix.distributedBuilds = true;
+    nix.settings.builders-use-substitutes = true;
+
+    nix.buildMachines = [
+      {
+        hostName = "builder.julian-mutter.de";
+        protocol = "ssh";
+        sshUser = "nix";
+        systems = [
+          "x86_64-linux"
+          "aarch64-linux"
+        ];
+        maxJobs = 4;
+        speedFactor = 3;
+        supportedFeatures = [
+          "nixos-test"
+          "benchmark"
+          "big-parallel"
+          "kvm"
+        ];
+        mandatoryFeatures = [];
+      }
+      # {
+      #   hostName = "localhost";
+      #   protocol = null;
+      #   systems = [
+      #     "x86_64-linux"
+      #   ];
+      #   maxJobs = 4;
+      #   speedFactor = 1;
+      # }
+    ];
+  };
+}

features-nixos/optional/thunar.nix

@@ -0,0 +1,18 @@
+{
+  flake.nixosModules.thunar = {
+    config,
+    lib,
+    pkgs,
+    ...
+  }: {
+    programs.thunar.enable = true;
+    programs.xfconf.enable = true; # Persist saved preferences
+    programs.thunar.plugins = with pkgs.xfce; [
+      thunar-archive-plugin
+      thunar-volman
+      thunar-media-tags-plugin
+    ];
+    services.gvfs.enable = true; # Mount, trash, and other functionalities
+    services.tumbler.enable = true; # Thumbnail support for images
+  };
+}

features-nixos/optional/virtualbox.nix

@@ -0,0 +1,14 @@
+{
+  flake.nixosModules.virtualbox = {
+    config,
+    lib,
+    pkgs,
+    ...
+  }: {
+    virtualisation.virtualbox.host.enable = true;
+    # virtualisation.virtualbox.host.enableExtensionPack = true;
+    # virtualisation.virtualbox.guest.enable = true;
+    # virtualisation.virtualbox.guest.x11 = true;
+    users.extraGroups.vboxusers.members = ["julian"];
+  };
+}

features-nixos/optional/wireguard.nix

@@ -0,0 +1,14 @@
+{
+  flake.nixosModules.wireguard = {
+    networking.wg-quick.interfaces = {
+      julian = {
+        configFile = "/etc/wireguard/julian.conf";
+        autostart = true; # This interface is started on boot
+      };
+      comu = {
+        configFile = "/etc/wireguard/comu.conf";
+        autostart = false;
+      };
+    };
+  };
+}

features-nixos/optional/wireshark.nix

@@ -0,0 +1,11 @@
+{
+  flake.nixosModules.wireshark = {
+    programs.wireshark = {
+      enable = true;
+      dumpcap.enable = true;
+      usbmon.enable = true;
+    };
+
+    users.users.julian.extraGroups = ["wireshark"];
+  };
+}

features-nixos/optional/xserver.nix

@@ -0,0 +1,8 @@
+{
+  flake.nixosModules.xserver = {
+    services.xserver = {
+      enable = true;
+      wacom.enable = true;
+    };
+  };
+}

features-nixos/users/julian/default.nix

@@ -0,0 +1,52 @@
+{
+  flake.nixosModules.users.julian = {
+    pkgs,
+    config,
+    lib,
+    ...
+  }: let
+    ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+  in {
+    users.mutableUsers = false;
+    users.users.julian = {
+      description = "Julian";
+      group = "julian";
+      isNormalUser = true;
+      uid = 1000;
+      shell = pkgs.fish;
+      extraGroups = ifTheyExist [
+        "networkmanager"
+        "wheel"
+        "audio"
+        "realtime"
+        "rtkit"
+        "network"
+        "video"
+        "podman"
+        "docker"
+        "git"
+        "gamemode"
+        "dialout"
+      ];
+
+      openssh.authorizedKeys.keys = lib.splitString "\n" (
+        builtins.readFile ../../../../homes/julian/ssh.pub
+      );
+      # hashedPasswordFile = config.sops.secrets.julian-password.path;
+      hashedPassword = "$y$j9T$N33kLJQbV8soUoCbDkpwA1$r/yahJDgOPo4GGOrAi6BUG5zLTzmaBrA5NQ4nno561A";
+      packages = [pkgs.home-manager];
+    };
+    users.groups.julian = {
+      gid = 1000;
+    };
+
+    sops.secrets.julian-password = {
+      sopsFile = ../../secrets.yaml;
+      neededForUsers = true;
+    };
+
+    home-manager.users.julian = import ../../../../homes/julian/${config.networking.hostName}.nix;
+
+    security.pam.services.swaylock = {}; # Make swaylock unlocking work
+  };
+}

features-nixos/users/pob/default.nix

@@ -0,0 +1,30 @@
+{
+  flake.nixosModules.users.pob = {
+    pkgs,
+    config,
+    ...
+  }: let
+    ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+  in {
+    users.mutableUsers = false;
+    users.users.pob = {
+      description = "A helper user to use another profile for some applications";
+      group = "pob";
+      isNormalUser = true;
+      shell = pkgs.fish;
+      extraGroups = ifTheyExist [
+        "networkmanager"
+      ];
+      packages = with pkgs; [
+        firefox
+        wineWowPackages.stable # 32-bit and 64-bit wine
+        winetricks
+      ];
+    };
+    users.groups.pob = {};
+
+    security.sudo.extraConfig = ''
+      julian ALL=(pob) NOPASSWD: ALL
+    '';
+  };
+}

features-nixos/users/wolfi/default.nix

@@ -0,0 +1,32 @@
+{
+  flake.nixosModules.users.wolfi = {
+    pkgs,
+    config,
+    ...
+  }: let
+    ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+  in {
+    users.mutableUsers = false;
+    users.users.wolfi = {
+      description = "Wolfi";
+      group = "wolfi";
+      isNormalUser = true;
+      shell = pkgs.fish;
+      extraGroups = ifTheyExist [
+        "networkmanager"
+        "wheel"
+        "audio"
+        "network"
+        "video"
+        "podman"
+        "docker"
+        "git"
+        "gamemode"
+      ];
+
+      hashedPassword = "$y$j9T$ifzWjoZaRtPUOOfMYnbJ20$uFOO1EyDApL52vRUicZYgupaTA/a6sGNUj3imZ/lcb6";
+      packages = [pkgs.home-manager];
+    };
+    users.groups.wolfi = {};
+  };
+}

features-nixos/users/yukari/default.nix

@@ -0,0 +1,99 @@
+{
+  flake.nixosModules.users.yukari = {
+    pkgs,
+    config,
+    lib,
+    outputs,
+    ...
+  }: let
+    ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+  in {
+    users.mutableUsers = false;
+    users.users.yukari = {
+      description = "Yukari";
+      group = "yukari";
+      isNormalUser = true;
+      shell = pkgs.fish;
+      extraGroups = ifTheyExist [
+        "networkmanager"
+        "audio"
+        "network"
+        "video"
+        "podman"
+        "docker"
+        "git"
+        "gamemode"
+      ];
+
+      createHome = true;
+      hashedPassword = "$y$j9T$rGuTL0rfiy7ht8L58BGCw0$fN.KwHjYlIitFEPHndKvV06ezgeWzP3/58o1kkviZwB";
+      packages = [pkgs.home-manager];
+    };
+    users.groups.yukari = {};
+
+    home-manager.users.yukari = {
+      imports =
+        [
+          ../../../../homes/julian/features/fonts
+          ../../../../homes/julian/features/suites/cli
+        ]
+        ++ (builtins.attrValues outputs.homeManagerModules);
+
+      home = {
+        username = lib.mkDefault "yukari";
+        homeDirectory = lib.mkDefault "/home/${config.home.username}";
+        stateVersion = lib.mkDefault "23.11";
+
+        sessionPath = ["$HOME/.local/bin"];
+
+        packages = with pkgs; [
+          arandr
+          calibre # ebook manager and viewer
+          # digikam
+          discord
+          discord-ptb # in case discord updates take their time
+          # dvdisaster
+          # element-desktop
+          # rocketchat-desktop
+          thunderbird
+          telegram-desktop # telegram
+          # schildichat-desktop # not updated regularly
+          nheko
+          evince # Simple pdf reader, good for focusing on document content
+          firefox
+          vivaldi
+          # geogebra
+          cheese
+          handbrake
+          # kitty # Terminal, already available as feature
+          libnotify
+          libreoffice
+          mate.engrampa
+          nomacs # Image viewer
+          kdePackages.okular # Pdf reader with many features, good for commenting documents
+          pavucontrol
+          qalculate-gtk # Nice gui calculator
+          qpdfview
+          # qutebrowser
+          # realvnc-vnc-viewer
+          # rustdesk
+          tor-browser
+          # frajul.pob-dev-version # Path of Building
+          vlc
+          wineWowPackages.stable # 32-bit and 64-bit wine
+          winetricks
+          xclip # x11 clipboard access from terminal
+          xfce.mousepad # simple text editor
+          xournalpp # Edit pdf files
+          zoom-us # Video conferencing
+          zotero # Manage papers and other sources
+          pdfpc # Present slides in pdf form
+        ];
+      };
+      programs = {
+        home-manager.enable = true;
+        git.enable = true;
+      };
+    };
+  };
+}

flake.nix

@@ -36,6 +36,9 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    flake-parts.url = "github:hercules-ci/flake-parts";
+    import-tree.url = "github:vic/import-tree";
+
     # Various flakes
     yazi-flavors = {
       url = "github:yazi-rs/flavors";
@@ -61,158 +64,163 @@
     };
   };
 
-  outputs = {
+  outputs = inputs:
-    self,
+    inputs.flake-parts.lib.mkFlake {inherit inputs;} (inputs.import-tree
-    nixpkgs,
+      [
-    home-manager,
+        ./hosts
-    systems,
+        ./features-nixos
-    ...
+        ./homes
-  } @ inputs: let
+        ./features-home-manager
-    inherit (self) outputs;
+        # ./modules
-    lib = nixpkgs.lib // home-manager.lib;
+        # ./overlays
-    forEachSystem = f: lib.genAttrs (import systems) (system: f pkgsFor.${system});
+        # ./packages
-    pkgsFor = lib.genAttrs (import systems) (
+      ]);
-      system:
+  # let
-        import nixpkgs {
+  #   inherit (self) outputs;
-          inherit system;
+  #   lib = nixpkgs.lib // home-manager.lib;
-          config.allowUnfree = true;
+  #   forEachSystem = f: lib.genAttrs (import systems) (system: f pkgsFor.${system});
-          config.permittedInsecurePackages = [
+  #   pkgsFor = lib.genAttrs (import systems) (
-            "olm-3.2.16"
+  #     system:
-          ];
+  #       import nixpkgs {
-          warn-dirty = false;
+  #         inherit system;
-        }
+  #         config.allowUnfree = true;
-    );
+  #         config.permittedInsecurePackages = [
-  in {
+  #           "olm-3.2.16"
-    inherit lib;
+  #         ];
+  #         warn-dirty = false;
+  #       }
+  #   );
+  # in {
+  #   inherit lib;
 
-    nixosModules = import ./modules/nixos;
+  #   nixosModules = import ./modules/nixos;
-    homeManagerModules = import ./modules/home-manager;
+  #   homeManagerModules = import ./modules/home-manager;
 
-    overlays = import ./overlays {inherit inputs outputs;};
+  #   overlays = import ./overlays {inherit inputs outputs;};
-    # hydraJobs = import ./hydra.nix { inherit inputs outputs; }; # TODO add hydra jobs here?
+  #   # hydraJobs = import ./hydra.nix { inherit inputs outputs; }; # TODO add hydra jobs here?
 
-    packages = forEachSystem (pkgs: import ./pkgs {inherit pkgs;});
+  #   packages = forEachSystem (pkgs: import ./pkgs {inherit pkgs;});
-    devShells = forEachSystem (pkgs: import ./shell.nix {inherit pkgs;});
+  #   devShells = forEachSystem (pkgs: import ./shell.nix {inherit pkgs;});
-    formatter = forEachSystem (pkgs: pkgs.alejandra); # nix fmt *
+  #   formatter = forEachSystem (pkgs: pkgs.alejandra); # nix fmt *
 
-    nixosConfigurations = {
+  #   nixosConfigurations = {
-      # Main laptop
+  #     # Main laptop
-      aspi = lib.nixosSystem {
+  #     aspi = lib.nixosSystem {
-        modules = [
+  #       modules = [
-          ./hosts/aspi
+  #         ./hosts/aspi
-        ];
+  #       ];
-        specialArgs = {
+  #       specialArgs = {
-          inherit inputs outputs;
+  #         inherit inputs outputs;
-        };
+  #       };
-      };
+  #     };
-      # Piano raspberry pi
+  #     # Piano raspberry pi
-      # pianonix = lib.nixosSystem {
+  #     # pianonix = lib.nixosSystem {
-      #   modules = [./hosts/pianonix];
+  #     #   modules = [./hosts/pianonix];
-      #   specialArgs = {
+  #     #   specialArgs = {
-      #     inherit inputs outputs;
+  #     #     inherit inputs outputs;
-      #   };
+  #     #   };
-      # };
+  #     # };
-      kardorf = lib.nixosSystem {
+  #     kardorf = lib.nixosSystem {
-        modules = [./hosts/kardorf];
+  #       modules = [./hosts/kardorf];
-        specialArgs = {
+  #       specialArgs = {
-          inherit inputs outputs;
+  #         inherit inputs outputs;
-        };
+  #       };
-      };
+  #     };
-      builder = lib.nixosSystem {
+  #     builder = lib.nixosSystem {
-        modules = [./hosts/builder];
+  #       modules = [./hosts/builder];
-        specialArgs = {
+  #       specialArgs = {
-          inherit inputs outputs;
+  #         inherit inputs outputs;
-        };
+  #       };
-      };
+  #     };
-    };
+  #   };
 
-    # Standalone HM
+  #   # Standalone HM
-    homeConfigurations = {
+  #   homeConfigurations = {
-      # Main laptop
+  #     # Main laptop
-      "julian@aspi" = lib.homeManagerConfiguration {
+  #     "julian@aspi" = lib.homeManagerConfiguration {
-        modules = [
+  #       modules = [
-          ./homes/julian/aspi.nix
+  #         ./homes/julian/aspi.nix
-          ./homes/julian/hm-standalone-config.nix
+  #         ./homes/julian/hm-standalone-config.nix
-        ];
+  #       ];
-        pkgs = pkgsFor.x86_64-linux;
+  #       pkgs = pkgsFor.x86_64-linux;
-        extraSpecialArgs = {
+  #       extraSpecialArgs = {
-          inherit inputs outputs;
+  #         inherit inputs outputs;
-        };
+  #       };
-      };
+  #     };
-      # Media server (RPi)
+  #     # Media server (RPi)
-      # "julian@pianonix" = lib.homeManagerConfiguration {
+  #     # "julian@pianonix" = lib.homeManagerConfiguration {
-      #   modules = [
+  #     #   modules = [
-      #     ./homes/julian/pianonix.nix
+  #     #     ./homes/julian/pianonix.nix
-      #     ./homes/julian/hm-standalone-config.nix
+  #     #     ./homes/julian/hm-standalone-config.nix
-      #   ];
+  #     #   ];
-      #   pkgs = pkgsFor.aarch64-linux;
+  #     #   pkgs = pkgsFor.aarch64-linux;
-      #   extraSpecialArgs = {
+  #     #   extraSpecialArgs = {
-      #     inherit inputs outputs;
+  #     #     inherit inputs outputs;
-      #   };
+  #     #   };
-      # };
+  #     # };
-      "julian@kardorf" = lib.homeManagerConfiguration {
+  #     "julian@kardorf" = lib.homeManagerConfiguration {
-        modules = [
+  #       modules = [
-          ./homes/julian/kardorf.nix
+  #         ./homes/julian/kardorf.nix
-          ./homes/julian/hm-standalone-config.nix
+  #         ./homes/julian/hm-standalone-config.nix
-        ];
+  #       ];
-        pkgs = pkgsFor.x86_64-linux;
+  #       pkgs = pkgsFor.x86_64-linux;
-        extraSpecialArgs = {
+  #       extraSpecialArgs = {
-          inherit inputs outputs;
+  #         inherit inputs outputs;
-        };
+  #       };
-      };
+  #     };
-      "julian@v3ms" = lib.homeManagerConfiguration {
+  #     "julian@v3ms" = lib.homeManagerConfiguration {
-        modules = [
+  #       modules = [
-          ./homes/julian/v3ms
+  #         ./homes/julian/v3ms
-          ./homes/julian/hm-standalone-config.nix
+  #         ./homes/julian/hm-standalone-config.nix
-        ];
+  #       ];
-        pkgs = pkgsFor.x86_64-linux;
+  #       pkgs = pkgsFor.x86_64-linux;
-        extraSpecialArgs = {
+  #       extraSpecialArgs = {
-          inherit inputs outputs;
+  #         inherit inputs outputs;
-        };
+  #       };
-      };
+  #     };
-      "julian@quickstart" = lib.homeManagerConfiguration {
+  #     "julian@quickstart" = lib.homeManagerConfiguration {
-        modules = [
+  #       modules = [
-          ./homes/julian/quickstart.nix
+  #         ./homes/julian/quickstart.nix
-          ./homes/julian/hm-standalone-config.nix
+  #         ./homes/julian/hm-standalone-config.nix
-        ];
+  #       ];
-        pkgs = pkgsFor.x86_64-linux;
+  #       pkgs = pkgsFor.x86_64-linux;
-        extraSpecialArgs = {
+  #       extraSpecialArgs = {
-          inherit inputs outputs;
+  #         inherit inputs outputs;
-        };
+  #       };
-      };
+  #     };
-    };
+  #   };
 
-    # deploy-rs node configuration
+  #   # deploy-rs node configuration
-    deploy.nodes = {
+  #   deploy.nodes = {
-      # pianonix = {
+  #     # pianonix = {
-      #   hostname = "pianonix.local";
+  #     #   hostname = "pianonix.local";
-      #   profiles.system = {
+  #     #   profiles.system = {
-      #     sshUser = "root";
+  #     #     sshUser = "root";
-      #     user = "root";
+  #     #     user = "root";
-      #     path = inputs.deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.pianonix;
+  #     #     path = inputs.deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.pianonix;
-      #     confirmTimeout = 90; # default: 30s; raspberrypi takes a little longer restarting services
+  #     #     confirmTimeout = 90; # default: 30s; raspberrypi takes a little longer restarting services
-      #   };
+  #     #   };
-      # };
+  #     # };
 
-      builder = {
+  #     builder = {
-        hostname = "builder.julian-mutter.de";
+  #       hostname = "builder.julian-mutter.de";
-        profiles.system = {
+  #       profiles.system = {
-          sshUser = "root";
+  #         sshUser = "root";
-          user = "root";
+  #         user = "root";
-          path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.builder;
+  #         path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.builder;
-          remoteBuild = true;
+  #         remoteBuild = true;
-        };
+  #       };
-      };
+  #     };
-    };
+  #   };
 
-    # substitutes: nixos-generate --flake .#pianonix -f sd-aarch64 --system aarch64-linux
+  #   # substitutes: nixos-generate --flake .#pianonix -f sd-aarch64 --system aarch64-linux
-    pianonix-image = inputs.nixos-generators.nixosGenerate {
+  #   pianonix-image = inputs.nixos-generators.nixosGenerate {
-      system = "aarch64-linux";
+  #     system = "aarch64-linux";
-      format = "sd-aarch64";
+  #     format = "sd-aarch64";
-      modules = [./hosts/pianonix];
+  #     modules = [./hosts/pianonix];
-      specialArgs = {
+  #     specialArgs = {
-        inherit inputs outputs;
+  #       inherit inputs outputs;
-      };
+  #     };
-    };
+  #   };
-  };
+  # };
 }

hosts/aspi/default.nix

@@ -1,62 +1,72 @@
 {
-  imports = [
+  inputs,
-    ./hardware-configuration.nix
+  self,
-
+  ...
-    ../common/global
+}: {
-    ../common/users/julian
+  flake.nixosConfigurations.aspi = inputs.nixpkgs.lib.nixosSystem {
-    ../common/users/yukari
+    modules = [
-    ../common/users/pob
+      self.nixosModules.hosts.aspi
-    ../common/optional/binarycaches.nix
+    ];
-
-    ../common/optional/remote-builder.nix
-    ../common/optional/boot-efi.nix
-
-    ../common/optional/greetd.nix
-    ../common/optional/authentication.nix
-    ../common/optional/pcmanfm.nix
-    ../common/optional/pipewire.nix
-
-    ../common/optional/gamemode.nix
-    ../common/optional/virtualbox.nix
-
-    ../common/optional/podman.nix
-    ../common/optional/wireguard.nix
-    ../common/optional/wireshark.nix
-    ../common/optional/flatpak.nix
-
-    ../common/optional/avahi.nix
-  ];
-
-  networking.hostName = "aspi";
-  system.stateVersion = "24.05";
-
-  # networking.firewall.checkReversePath = false; # Makes wg interface with all ips work
-
-  modules = {
-    syncthing = {
-      enable = true;
-      overrideSettings = false;
-    };
-    frajulAutoUpgrade = {
-      enable = true;
-      flakePath = "/home/julian/.dotfiles";
-    };
   };
 
-  programs.hyprland.enable = true;
+  flake.nixosModules.hosts.aspi = {
-  services.desktopManager.plasma6.enable = true;
+    imports = [
+      ../common/global
+      ../common/users/julian
+      ../common/users/yukari
+      ../common/users/pob
+      ../common/optional/binarycaches.nix
 
-  services.blueman.enable = true;
+      ../common/optional/remote-builder.nix
-  services.upower.enable = true;
+      ../common/optional/boot-efi.nix
 
-  programs.steam.enable = true;
+      ../common/optional/greetd.nix
+      ../common/optional/authentication.nix
+      ../common/optional/pcmanfm.nix
+      ../common/optional/pipewire.nix
 
-  # TODO: not working
+      ../common/optional/gamemode.nix
-  # services.logind.lidSwitch = "lock";
+      ../common/optional/virtualbox.nix
-  # services.logind.lidSwitchDocked = "lock";
 
-  programs.kdeconnect.enable = true;
+      ../common/optional/podman.nix
+      ../common/optional/wireguard.nix
+      ../common/optional/wireshark.nix
+      ../common/optional/flatpak.nix
 
-  # Enable touchpad support
+      ../common/optional/avahi.nix
-  services.libinput.enable = true;
+    ];
+
+    networking.hostName = "aspi";
+    system.stateVersion = "24.05";
+
+    # networking.firewall.checkReversePath = false; # Makes wg interface with all ips work
+
+    modules = {
+      syncthing = {
+        enable = true;
+        overrideSettings = false;
+      };
+      frajulAutoUpgrade = {
+        enable = true;
+        flakePath = "/home/julian/.dotfiles";
+      };
+    };
+
+    programs.hyprland.enable = true;
+    services.desktopManager.plasma6.enable = true;
+
+    services.blueman.enable = true;
+    services.upower.enable = true;
+
+    programs.steam.enable = true;
+
+    # TODO: not working
+    # services.logind.lidSwitch = "lock";
+    # services.logind.lidSwitchDocked = "lock";
+
+    programs.kdeconnect.enable = true;
+
+    # Enable touchpad support
+    services.libinput.enable = true;
+  };
 }

hosts/aspi/hardware-configuration.nix

@@ -1,78 +1,80 @@
 {
-  config,
+  flake.nixosModules.hosts.aspi = {
-  lib,
+    config,
-  ...
+    lib,
-}: {
+    ...
-  boot.initrd.availableKernelModules = [
+  }: {
-    "vmd"
+    boot.initrd.availableKernelModules = [
-    "xhci_pci"
+      "vmd"
-    "ahci"
+      "xhci_pci"
-    "nvme"
+      "ahci"
-    "usb_storage"
+      "nvme"
-    "usbhid"
+      "usb_storage"
-    "sd_mod"
+      "usbhid"
-  ];
+      "sd_mod"
-  boot.initrd.kernelModules = ["dm-snapshot"];
+    ];
-  boot.kernelModules = ["kvm-intel"];
+    boot.initrd.kernelModules = ["dm-snapshot"];
-  boot.extraModulePackages = [];
+    boot.kernelModules = ["kvm-intel"];
-  boot.blacklistedKernelModules = ["pcspkr"]; # Disables "beep"
+    boot.extraModulePackages = [];
-  boot.binfmt.emulatedSystems = ["aarch64-linux"];
+    boot.blacklistedKernelModules = ["pcspkr"]; # Disables "beep"
+    boot.binfmt.emulatedSystems = ["aarch64-linux"];
 
-  boot.initrd.luks.devices = {
+    boot.initrd.luks.devices = {
-    root = {
+      root = {
-      device = "/dev/disk/by-uuid/a4dc9a2c-725b-4252-8fbb-093a271c31ba";
+        device = "/dev/disk/by-uuid/a4dc9a2c-725b-4252-8fbb-093a271c31ba";
-      preLVM = true;
+        preLVM = true;
-      allowDiscards = true;
+        allowDiscards = true;
+      };
     };
-  };
 
-  fileSystems."/" = {
+    fileSystems."/" = {
-    device = "/dev/disk/by-uuid/bbc45be3-75f5-40c5-8427-2a425de8422c";
+      device = "/dev/disk/by-uuid/bbc45be3-75f5-40c5-8427-2a425de8422c";
-    fsType = "btrfs";
+      fsType = "btrfs";
-    options = [
+      options = [
-      "subvol=root"
+        "subvol=root"
-      "compress=zstd"
+        "compress=zstd"
+      ];
+    };
+
+    fileSystems."/home" = {
+      device = "/dev/disk/by-uuid/bbc45be3-75f5-40c5-8427-2a425de8422c";
+      fsType = "btrfs";
+      options = [
+        "subvol=home"
+        "compress=zstd"
+      ];
+    };
+
+    fileSystems."/nix" = {
+      device = "/dev/disk/by-uuid/bbc45be3-75f5-40c5-8427-2a425de8422c";
+      fsType = "btrfs";
+      options = [
+        "subvol=nix"
+        "compress=zstd"
+        "noatime"
+      ];
+    };
+
+    fileSystems."/boot" = {
+      device = "/dev/disk/by-uuid/7040-F37C";
+      fsType = "vfat";
+    };
+
+    swapDevices = [
+      {device = "/dev/disk/by-uuid/26140b4a-0579-406d-a484-35aa31b32e80";}
     ];
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
+
+    nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+    powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+    hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+    hardware.nvidia.open = false;
   };
-
-  fileSystems."/home" = {
-    device = "/dev/disk/by-uuid/bbc45be3-75f5-40c5-8427-2a425de8422c";
-    fsType = "btrfs";
-    options = [
-      "subvol=home"
-      "compress=zstd"
-    ];
-  };
-
-  fileSystems."/nix" = {
-    device = "/dev/disk/by-uuid/bbc45be3-75f5-40c5-8427-2a425de8422c";
-    fsType = "btrfs";
-    options = [
-      "subvol=nix"
-      "compress=zstd"
-      "noatime"
-    ];
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/7040-F37C";
-    fsType = "vfat";
-  };
-
-  swapDevices = [
-    {device = "/dev/disk/by-uuid/26140b4a-0579-406d-a484-35aa31b32e80";}
-  ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-  hardware.nvidia.open = false;
 }

hosts/builder/default.nix

@@ -2,352 +2,362 @@
 # or
 # deploy .#builder
 {
-  config,
+  inputs,
-  pkgs,
+  self,
   ...
 }: {
-  imports = [
+  flake.nixosConfigurations.builder = inputs.nixpkgs.lib.nixosSystem {
-    ./hardware-configuration.nix
+    modules = [
-
+      self.nixosModules.hosts.builder
-    ../common/global/fish.nix # fish for admin
-    ../common/global/locale.nix
-    ../common/global/nix.nix
-    ../common/global/sops.nix
-    ../common/global/root.nix
-  ];
-
-  networking.hostName = "builder";
-  system.stateVersion = "23.11";
-
-  networking.networkmanager.enable = true;
-  networking.nameservers = [
-    "192.168.3.252"
-    "172.30.20.10"
-    "1.1.1.1"
-  ];
-
-  users.mutableUsers = false;
-  users.users.nix = {
-    isNormalUser = true;
-    description = "Nix";
-    extraGroups = [
-      "networkmanager"
-      "wheel"
-      "docker"
     ];
   };
 
-  nix.settings.experimental-features = [
+  flake.nixosModules.hosts.builder = {
-    "nix-command"
+    config,
-    "flakes"
+    pkgs,
-  ];
+    ...
-
+  }: {
-  # Setup binary caches
+    imports = [
-  nix.settings = {
+      ../common/global/fish.nix # fish for admin
-    substituters = [
+      ../common/global/locale.nix
-      "https://nix-community.cachix.org"
+      ../common/global/nix.nix
-      "https://cache.nixos.org/"
+      ../common/global/sops.nix
-      "https://hyprland.cachix.org"
+      ../common/global/root.nix
-      "https://devenv.cachix.org"
-    ];
-    trusted-public-keys = [
-      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
-      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-      "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
     ];
 
-    trusted-users = ["nix"];
+    networking.hostName = "builder";
-    max-jobs = "auto";
+    system.stateVersion = "23.11";
-    cores = 0;
 
-    # Ensure we can still build when missing-server is not accessible
+    networking.networkmanager.enable = true;
-    fallback = true;
+    networking.nameservers = [
-  };
+      "192.168.3.252"
-
+      "172.30.20.10"
-  # system.autoUpgrade = {
+      "1.1.1.1"
-  #   enable = true;
-  #   flake = "git+https://gitlab.julian-mutter.de/julian/dotfiles";
-  #   flags = [
-  #     "--recreate-lock-file" # update lock file
-  #   ];
-  #   dates = "02:13";
-  # };
-
-  # optimize store by hardlinking store files
-  nix.optimise.automatic = true;
-  nix.optimise.dates = ["03:15"];
-
-  # nix.gc.automatic = true;
-  # nix.gc.dates = "daily";
-  # nix.gc.options = "--delete-old";
-
-  # nix.settings.keep-derivations = false;
-  # nix.settings.keep-outputs = true;
-
-  # Garbage collect up to 100 GiB when only 20 GiB storage left
-  nix.extraOptions = ''
-    min-free = ${toString (20 * 1024 * 1024 * 1024)}
-    max-free = ${toString (100 * 1024 * 1024 * 1024)}
-  '';
-
-  nix.nrBuildUsers = 64;
-
-  # prevent memory to get filled
-  systemd.services.nix-daemon.serviceConfig = {
-    MemoryAccounting = true;
-    MemoryMax = "90%";
-    OOMScoreAdjust = 500;
-  };
-
-  # Ollama used by open-webui as llm backend
-  services.ollama = {
-    enable = true;
-    # acceleration = "rocm";
-    openFirewall = true;
-  };
-
-  services.nextjs-ollama-llm-ui = {
-    enable = true;
-    hostname = "192.168.3.118";
-    port = 3001;
-  };
-  # services.open-webui = {
-  #   enable = true;
-  #   port = 8080;
-  #   openFirewall = true;
-  #   host = "builder.julian-mutter.de";
-  # };
-
-  networking.firewall.allowedTCPPorts = [
-    80
-    3001 # ollama-ui
-  ];
-
-  services.openssh = {
-    enable = true;
-    # require public key authentication for better security
-    settings.PasswordAuthentication = false;
-    settings.KbdInteractiveAuthentication = false;
-    settings.PermitRootLogin = "yes";
-    # Add older algorithms for jenkins ssh-agents-plugin to be compatible
-    settings.Macs = [
-      "hmac-sha2-512-etm@openssh.com"
-      "hmac-sha2-256-etm@openssh.com"
-      "umac-128-etm@openssh.com"
-      "hmac-sha2-512"
-      "hmac-sha2-256"
-      "umac-128@openssh.com"
     ];
-    settings.KexAlgorithms = [
-      "diffie-hellman-group-exchange-sha1"
-      "diffie-hellman-group14-sha1"
-      "mlkem768x25519-sha256"
-      "sntrup761x25519-sha512"
-      "sntrup761x25519-sha512@openssh.com"
-      "curve25519-sha256"
-      "curve25519-sha256@libssh.org"
-      "diffie-hellman-group-exchange-sha256"
-    ];
-  };
-  users.users."root".openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFcS+3d1tNgHmYCjueymCV9Bd2LcJcKGhVobrDe3r0s julian@kardorf"
-  ];
-  users.users."nix".openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAIQ+qMuXvyoxO1DuCR3/x+IQRfSA2WyMuzuotWZjCye root@aspi"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHnfLJnS2SKUs47J0qpLTkk0LQA5quOuAhnxE6yppUDm root@kardorf"
-  ];
 
-  # security.pam.sshAgentAuth.enable = true; # enable sudo via ssh
+    users.mutableUsers = false;
-
+    users.users.nix = {
-  services.hydra = {
+      isNormalUser = true;
-    enable = true;
+      description = "Nix";
-    hydraURL = "http://hydra.julian-mutter.de"; # externally visible URL
+      extraGroups = [
-    port = 3000;
+        "networkmanager"
-    notificationSender = "hydra@julian-mutter.de"; # e-mail of hydra service
+        "wheel"
-    # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
+        "docker"
-    # buildMachinesFiles = [ ];
-    # you will probably also want, otherwise *everything* will be built from scratch
-    useSubstitutes = true;
-
-    minimumDiskFree = 5; # in GB
-    minimumDiskFreeEvaluator = 4; # in GB
-  };
-
-  # add builder itself as build machine so system emulation is properly supported
-  # nix.distributedBuilds = true;
-  nix.buildMachines = [
-    {
-      hostName = "localhost";
-      protocol = null;
-      # sshUser = "nix";
-      systems = [
-        "x86_64-linux"
-        "aarch64-linux"
       ];
-      maxJobs = 4;
+    };
-      speedFactor = 3;
+
-      supportedFeatures = [
+    nix.settings.experimental-features = [
-        "nixos-test"
+      "nix-command"
-        "benchmark"
+      "flakes"
-        "big-parallel"
+    ];
-        "kvm"
+
+    # Setup binary caches
+    nix.settings = {
+      substituters = [
+        "https://nix-community.cachix.org"
+        "https://cache.nixos.org/"
+        "https://hyprland.cachix.org"
+        "https://devenv.cachix.org"
+      ];
+      trusted-public-keys = [
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
       ];
-    }
-  ];
 
-  # Uris allowed as flake inputs, otherwise hydra does not fetch them
+      trusted-users = ["nix"];
-  nix.settings.allowed-uris = [
+      max-jobs = "auto";
-    "github:"
+      cores = 0;
-    "gitlab:"
-    "git+https://github.com/hyprwm/Hyprland"
-    "https://github.com/hyprwm/Hyprland"
-    "https://github"
-    "https://gitlab"
-    "https://gitlab.julian-mutter.de"
-    "git+https://gitlab.julian-mutter.de"
-  ];
 
-  services.nginx = {
+      # Ensure we can still build when missing-server is not accessible
-    enable = true;
+      fallback = true;
-    recommendedProxySettings = true;
+    };
-    # recommendedTlsSettings = true;
+
-    # other Nginx options
+    # system.autoUpgrade = {
-    virtualHosts."hydra.julian-mutter.de" = {
+    #   enable = true;
-      # enableACME = true;
+    #   flake = "git+https://gitlab.julian-mutter.de/julian/dotfiles";
-      # forceSSL = true;
+    #   flags = [
-      locations."/" = {
+    #     "--recreate-lock-file" # update lock file
-        proxyPass = "http://127.0.0.1:3000";
+    #   ];
-        # proxyWebsockets = true; # needed if you need to use WebSocket
+    #   dates = "02:13";
-        # extraConfig =
+    # };
-        #   # required when the target is also TLS server with multiple hosts
+
-        #   "proxy_ssl_server_name on;" +
+    # optimize store by hardlinking store files
-        #   # required when the server wants to use HTTP Authentication
+    nix.optimise.automatic = true;
-        #   "proxy_pass_header Authorization;"
+    nix.optimise.dates = ["03:15"];
-        #   ;
+
+    # nix.gc.automatic = true;
+    # nix.gc.dates = "daily";
+    # nix.gc.options = "--delete-old";
+
+    # nix.settings.keep-derivations = false;
+    # nix.settings.keep-outputs = true;
+
+    # Garbage collect up to 100 GiB when only 20 GiB storage left
+    nix.extraOptions = ''
+      min-free = ${toString (20 * 1024 * 1024 * 1024)}
+      max-free = ${toString (100 * 1024 * 1024 * 1024)}
+    '';
+
+    nix.nrBuildUsers = 64;
+
+    # prevent memory to get filled
+    systemd.services.nix-daemon.serviceConfig = {
+      MemoryAccounting = true;
+      MemoryMax = "90%";
+      OOMScoreAdjust = 500;
+    };
+
+    # Ollama used by open-webui as llm backend
+    services.ollama = {
+      enable = true;
+      # acceleration = "rocm";
+      openFirewall = true;
+    };
+
+    services.nextjs-ollama-llm-ui = {
+      enable = true;
+      hostname = "192.168.3.118";
+      port = 3001;
+    };
+    # services.open-webui = {
+    #   enable = true;
+    #   port = 8080;
+    #   openFirewall = true;
+    #   host = "builder.julian-mutter.de";
+    # };
+
+    networking.firewall.allowedTCPPorts = [
+      80
+      3001 # ollama-ui
+    ];
+
+    services.openssh = {
+      enable = true;
+      # require public key authentication for better security
+      settings.PasswordAuthentication = false;
+      settings.KbdInteractiveAuthentication = false;
+      settings.PermitRootLogin = "yes";
+      # Add older algorithms for jenkins ssh-agents-plugin to be compatible
+      settings.Macs = [
+        "hmac-sha2-512-etm@openssh.com"
+        "hmac-sha2-256-etm@openssh.com"
+        "umac-128-etm@openssh.com"
+        "hmac-sha2-512"
+        "hmac-sha2-256"
+        "umac-128@openssh.com"
+      ];
+      settings.KexAlgorithms = [
+        "diffie-hellman-group-exchange-sha1"
+        "diffie-hellman-group14-sha1"
+        "mlkem768x25519-sha256"
+        "sntrup761x25519-sha512"
+        "sntrup761x25519-sha512@openssh.com"
+        "curve25519-sha256"
+        "curve25519-sha256@libssh.org"
+        "diffie-hellman-group-exchange-sha256"
+      ];
+    };
+    users.users."root".openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFcS+3d1tNgHmYCjueymCV9Bd2LcJcKGhVobrDe3r0s julian@kardorf"
+    ];
+    users.users."nix".openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjSZYdoF/51F+ykcBAYVCzCPTF5EEigWBL1APiR0h+H julian@aspi"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAIQ+qMuXvyoxO1DuCR3/x+IQRfSA2WyMuzuotWZjCye root@aspi"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHnfLJnS2SKUs47J0qpLTkk0LQA5quOuAhnxE6yppUDm root@kardorf"
+    ];
+
+    # security.pam.sshAgentAuth.enable = true; # enable sudo via ssh
+
+    services.hydra = {
+      enable = true;
+      hydraURL = "http://hydra.julian-mutter.de"; # externally visible URL
+      port = 3000;
+      notificationSender = "hydra@julian-mutter.de"; # e-mail of hydra service
+      # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
+      # buildMachinesFiles = [ ];
+      # you will probably also want, otherwise *everything* will be built from scratch
+      useSubstitutes = true;
+
+      minimumDiskFree = 5; # in GB
+      minimumDiskFreeEvaluator = 4; # in GB
+    };
+
+    # add builder itself as build machine so system emulation is properly supported
+    # nix.distributedBuilds = true;
+    nix.buildMachines = [
+      {
+        hostName = "localhost";
+        protocol = null;
+        # sshUser = "nix";
+        systems = [
+          "x86_64-linux"
+          "aarch64-linux"
+        ];
+        maxJobs = 4;
+        speedFactor = 3;
+        supportedFeatures = [
+          "nixos-test"
+          "benchmark"
+          "big-parallel"
+          "kvm"
+        ];
+      }
+    ];
+
+    # Uris allowed as flake inputs, otherwise hydra does not fetch them
+    nix.settings.allowed-uris = [
+      "github:"
+      "gitlab:"
+      "git+https://github.com/hyprwm/Hyprland"
+      "https://github.com/hyprwm/Hyprland"
+      "https://github"
+      "https://gitlab"
+      "https://gitlab.julian-mutter.de"
+      "git+https://gitlab.julian-mutter.de"
+    ];
+
+    services.nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      # recommendedTlsSettings = true;
+      # other Nginx options
+      virtualHosts."hydra.julian-mutter.de" = {
+        # enableACME = true;
+        # forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:3000";
+          # proxyWebsockets = true; # needed if you need to use WebSocket
+          # extraConfig =
+          #   # required when the target is also TLS server with multiple hosts
+          #   "proxy_ssl_server_name on;" +
+          #   # required when the server wants to use HTTP Authentication
+          #   "proxy_pass_header Authorization;"
+          #   ;
+        };
+      };
+
+      virtualHosts."binarycache.julian-mutter.de" = {
+        locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+      };
+
+      clientMaxBodySize = "2G";
+      virtualHosts."cache.julian-mutter.de" = {
+        locations."/".proxyPass = "http://127.0.0.1:8080";
       };
     };
 
-    virtualHosts."binarycache.julian-mutter.de" = {
+    # =========== Gitea actions ==========
-      locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+    services.gitea-actions-runner.instances."builder" = {
+      enable = true;
+      url = "https://gitlab.julian-mutter.de";
+      name = "builder";
+      tokenFile = config.sops.secrets."gitea_token".path;
+      labels = [
+        # provide a debian base with nodejs for actions
+        "debian-latest:docker://node:18-bullseye"
+        # fake the ubuntu name, because node provides no ubuntu builds
+        "ubuntu-latest:docker://node:18-bullseye"
+        # devenv
+        "devenv:docker://ghcr.io/cachix/devenv/devenv:latest"
+        # provide native execution on the host
+        "nixos:host"
+      ];
     };
 
-    clientMaxBodySize = "2G";
+    virtualisation.docker.enable = true;
-    virtualHosts."cache.julian-mutter.de" = {
+
-      locations."/".proxyPass = "http://127.0.0.1:8080";
+    # TODO: podman fails with: "cannot resolve hostname"
+    # virtualisation.podman = {
+    #   enable = true;
+    #   dockerCompat = true;
+    #   defaultNetwork.settings.dns_enabled = true;
+    # };
+
+    sops.secrets."gitea_token" = {
+      owner = config.users.users.nix.name;
+      sopsFile = ./secrets.yaml;
     };
-  };
 
-  # =========== Gitea actions ==========
+    # =========== Binary Cache ==========
-  services.gitea-actions-runner.instances."builder" = {
+    services.nix-serve = {
-    enable = true;
+      enable = true;
-    url = "https://gitlab.julian-mutter.de";
+      secretKeyFile = "/var/cache-priv-key.pem";
-    name = "builder";
+    };
-    tokenFile = config.sops.secrets."gitea_token".path;
-    labels = [
-      # provide a debian base with nodejs for actions
-      "debian-latest:docker://node:18-bullseye"
-      # fake the ubuntu name, because node provides no ubuntu builds
-      "ubuntu-latest:docker://node:18-bullseye"
-      # devenv
-      "devenv:docker://ghcr.io/cachix/devenv/devenv:latest"
-      # provide native execution on the host
-      "nixos:host"
-    ];
-  };
 
-  virtualisation.docker.enable = true;
+    # =========== Binary Cache with attic ==========
+    sops.secrets."attic_token".sopsFile = ./secrets.yaml;
 
-  # TODO: podman fails with: "cannot resolve hostname"
+    services.atticd = {
-  # virtualisation.podman = {
+      enable = true;
-  #   enable = true;
+      environmentFile = config.sops.secrets."attic_token".path;
-  #   dockerCompat = true;
+      settings = {
-  #   defaultNetwork.settings.dns_enabled = true;
+        listen = "[::]:8080";
-  # };
 
-  sops.secrets."gitea_token" = {
+        jwt = {};
-    owner = config.users.users.nix.name;
-    sopsFile = ./secrets.yaml;
-  };
 
-  # =========== Binary Cache ==========
+        # Data chunking
-  services.nix-serve = {
-    enable = true;
-    secretKeyFile = "/var/cache-priv-key.pem";
-  };
-
-  # =========== Binary Cache with attic ==========
-  sops.secrets."attic_token".sopsFile = ./secrets.yaml;
-
-  services.atticd = {
-    enable = true;
-    environmentFile = config.sops.secrets."attic_token".path;
-    settings = {
-      listen = "[::]:8080";
-
-      jwt = {};
-
-      # Data chunking
-      #
-      # Warning: If you change any of the values here, it will be
-      # difficult to reuse existing chunks for newly-uploaded NARs
-      # since the cutpoints will be different. As a result, the
-      # deduplication ratio will suffer for a while after the change.
-      chunking = {
-        # The minimum NAR size to trigger chunking
         #
-        # If 0, chunking is disabled entirely for newly-uploaded NARs.
+        # Warning: If you change any of the values here, it will be
-        # If 1, all NARs are chunked.
+        # difficult to reuse existing chunks for newly-uploaded NARs
-        nar-size-threshold = 64 * 1024; # 64 KiB
+        # since the cutpoints will be different. As a result, the
+        # deduplication ratio will suffer for a while after the change.
+        chunking = {
+          # The minimum NAR size to trigger chunking
+          #
+          # If 0, chunking is disabled entirely for newly-uploaded NARs.
+          # If 1, all NARs are chunked.
+          nar-size-threshold = 64 * 1024; # 64 KiB
 
-        # The preferred minimum size of a chunk, in bytes
+          # The preferred minimum size of a chunk, in bytes
-        min-size = 16 * 1024; # 16 KiB
+          min-size = 16 * 1024; # 16 KiB
 
-        # The preferred average size of a chunk, in bytes
+          # The preferred average size of a chunk, in bytes
-        avg-size = 64 * 1024; # 64 KiB
+          avg-size = 64 * 1024; # 64 KiB
 
-        # The preferred maximum size of a chunk, in bytes
+          # The preferred maximum size of a chunk, in bytes
-        max-size = 256 * 1024; # 256 KiB
+          max-size = 256 * 1024; # 256 KiB
+        };
       };
     };
-  };
 
-  services.gitlab-runner.enable = true;
+    services.gitlab-runner.enable = true;
-  # runner for everything else
+    # runner for everything else
-  #
+    #
-  sops.secrets."gitlab_runner_token".sopsFile = ./secrets.yaml;
+    sops.secrets."gitlab_runner_token".sopsFile = ./secrets.yaml;
-  services.gitlab-runner.services.default = {
+    services.gitlab-runner.services.default = {
-    # File should contain at least these two variables:
+      # File should contain at least these two variables:
-    authenticationTokenConfigFile = config.sops.secrets."gitlab_runner_token".path;
+      authenticationTokenConfigFile = config.sops.secrets."gitlab_runner_token".path;
-    dockerImage = "alpine:latest";
+      dockerImage = "alpine:latest";
-    dockerVolumes = [
+      dockerVolumes = [
-      "/var/run/docker.sock:/var/run/docker.sock"
+        "/var/run/docker.sock:/var/run/docker.sock"
-    ];
+      ];
-  };
+    };
 
-  ### Jenkins node
+    ### Jenkins node
-  users.users.jenkins = {
+    users.users.jenkins = {
-    createHome = true;
+      createHome = true;
-    home = "/var/lib/jenkins";
+      home = "/var/lib/jenkins";
-    group = "jenkins";
+      group = "jenkins";
-    isNormalUser = true;
+      isNormalUser = true;
-    openssh.authorizedKeys.keys = [
+      openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ36sQhVz3kUEi8754G7r3rboihhG4iqFK/UvQm6SING jenkins@home"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ36sQhVz3kUEi8754G7r3rboihhG4iqFK/UvQm6SING jenkins@home"
-    ];
+      ];
-    packages = with pkgs; [
+      packages = with pkgs; [
-      git
+        git
-      devenv
+        devenv
-    ];
+      ];
-    extraGroups = [
+      extraGroups = [
-      "docker"
+        "docker"
-    ];
+      ];
-  };
+    };
 
-  users.groups.jenkins = {};
+    users.groups.jenkins = {};
-  programs.java = {
+    programs.java = {
-    enable = true;
+      enable = true;
-    package = pkgs.jdk21; # Same as jenkins version on home
+      package = pkgs.jdk21; # Same as jenkins version on home
+    };
   };
 }

hosts/builder/hardware-configuration.nix

@@ -1,50 +1,52 @@
-{lib, ...}: {
+{
-  boot.initrd.availableKernelModules = [
+  flake.nixosModules.hosts.builder = {lib, ...}: {
-    "ata_piix"
+    boot.initrd.availableKernelModules = [
-    "uhci_hcd"
+      "ata_piix"
-    "virtio_pci"
+      "uhci_hcd"
-    "virtio_scsi"
+      "virtio_pci"
-    "sd_mod"
+      "virtio_scsi"
-    "sr_mod"
+      "sd_mod"
-  ];
+      "sr_mod"
-  # boot.initrd.kernelModules = [ "amdgpu" ]; # GPU support
+    ];
-  boot.kernelModules = [];
+    # boot.initrd.kernelModules = [ "amdgpu" ]; # GPU support
-  boot.extraModulePackages = [];
+    boot.kernelModules = [];
+    boot.extraModulePackages = [];
 
-  fileSystems."/" = {
+    fileSystems."/" = {
-    device = "/dev/disk/by-uuid/f088fe8e-bf3d-4a89-98bd-ead9852d381f";
+      device = "/dev/disk/by-uuid/f088fe8e-bf3d-4a89-98bd-ead9852d381f";
-    fsType = "ext4";
+      fsType = "ext4";
+    };
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+    nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+    # hardware.graphics = {
+    #   enable = true;
+    #   extraPackages = with pkgs; [
+    #     rocmPackages.clr.icd
+    #     linuxPackages.amdgpu-pro
+    #   ];
+    # };
+
+    # boot.kernelParams = [
+    #   "radeon.si_support=0"
+    #   "radeon.cik_support=1"
+    #   "amdgpu.si_support=0"
+    #   "amdgpu.cik_support=1"
+    # ];
+    # boot.extraModulePackages = with config.boot.kernelPackages; [ amdgpu-pro ];
+    # boot.blacklistedKernelModules = [ "radeon" ];
+
+    boot.loader.grub.enable = true;
+    boot.loader.grub.device = "/dev/sda";
+
+    # Emulated systems used as alternative to cross-compiling
+    boot.binfmt.emulatedSystems = ["aarch64-linux"];
   };
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-
-  # hardware.graphics = {
-  #   enable = true;
-  #   extraPackages = with pkgs; [
-  #     rocmPackages.clr.icd
-  #     linuxPackages.amdgpu-pro
-  #   ];
-  # };
-
-  # boot.kernelParams = [
-  #   "radeon.si_support=0"
-  #   "radeon.cik_support=1"
-  #   "amdgpu.si_support=0"
-  #   "amdgpu.cik_support=1"
-  # ];
-  # boot.extraModulePackages = with config.boot.kernelPackages; [ amdgpu-pro ];
-  # boot.blacklistedKernelModules = [ "radeon" ];
-
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
-
-  # Emulated systems used as alternative to cross-compiling
-  boot.binfmt.emulatedSystems = ["aarch64-linux"];
 }

hosts/common/global/auto-upgrade.nix

@@ -1,16 +0,0 @@
-{
-  inputs,
-  config,
-  ...
-}: {
-  system.hydraAutoUpgrade = {
-    # Only enable if not dirty
-    enable = inputs.self ? rev;
-    dates = "*:0/10"; # Every 10 minutes
-    instance = "http://hydra.julian-mutter.de";
-    project = "dotfiles";
-    jobset = "main";
-    job = "hosts.${config.networking.hostName}";
-    oldFlakeRef = "self";
-  };
-}